blob: 79ea62783afa3c18d3887474499f914fcfed47bf [file] [log] [blame]
Damien Miller263d68f2002-06-22 00:45:50 +10001Privilege separation, or privsep, is method in OpenSSH by which
2operations that require root privilege are performed by a separate
3privileged monitor process. Its purpose is to prevent privilege
4escalation by containing corruption to an unprivileged process.
5More information is available at:
Kevin Steves02281552002-05-13 03:57:04 +00006 http://www.citi.umich.edu/u/provos/ssh/privsep.html
7
Damien Miller263d68f2002-06-22 00:45:50 +10008Privilege separation is now enabled by default; see the
9UsePrivilegeSeparation option in sshd_config(5).
Kevin Steves02281552002-05-13 03:57:04 +000010
11When privsep is enabled, the pre-authentication sshd process will
12chroot(2) to "/var/empty" and change its privileges to the "sshd" user
13and its primary group. You should do something like the following to
14prepare the privsep preauth environment:
15
16 # mkdir /var/empty
17 # chown root:sys /var/empty
18 # chmod 755 /var/empty
19 # groupadd sshd
20 # useradd -g sshd sshd
21
Tim Rice1e28c9e2002-05-13 17:07:18 -070022If you are on UnixWare 7 or OpenUNIX 8 do this additional step.
23 # ln /usr/lib/.ns.so /usr/lib/ns.so.1
24
Kevin Steves02281552002-05-13 03:57:04 +000025/var/empty should not contain any files.
26
27configure supports the following options to change the default
28privsep user and chroot directory:
29
Damien Miller74cc5bb2002-05-22 11:02:15 +100030 --with-privsep-path=xxx Path for privilege separation chroot
Kevin Steves02281552002-05-13 03:57:04 +000031 --with-privsep-user=user Specify non-privileged user for privilege separation
32
33Privsep requires operating system support for file descriptor passing
34and mmap(MAP_ANON).
35
Damien Miller263d68f2002-06-22 00:45:50 +100036PAM-enabled OpenSSH is known to function with privsep on Linux.
37It does not function on HP-UX with a trusted system
Kevin Stevesf8defa22002-05-13 23:31:09 +000038configuration. PAMAuthenticationViaKbdInt does not function with
Kevin Steves02281552002-05-13 03:57:04 +000039privsep.
40
41Note that for a normal interactive login with a shell, enabling privsep
42will require 1 additional process per login session.
43
44Given the following process listing (from HP-UX):
45
46 UID PID PPID C STIME TTY TIME COMMAND
47 root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0
48 root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv]
49 stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk@2
50 stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash
51
52process 1005 is the sshd process listening for new connections.
53process 6917 is the privileged monitor process, 6919 is the user owned
54sshd process and 6921 is the shell process.
55
Damien Miller263d68f2002-06-22 00:45:50 +100056$Id: README.privsep,v 1.6 2002/06/21 14:45:50 djm Exp $